Shib logout should return to identity provider login page

This is reported by NYU. Right now, the logout button doesn't actually log the person out--if they haven't closed their browser and return to the DMPTool, they will still be authenticated. They have to close their browser to be logged out. This is a known problem with Shib, but if the user were returned to the IdP login page, NYU (and perhaps other institutions) perform some scripts to kill the session.

Comments (1)

Perry, I don't think you'd want to return to the IdP's login page. That page isn't going to have any idea of what to do with the user (there would be no previous context), and certainly wouldn't be able to log the user out. Unless someone has done something really strange with their IdP.

Effective "complete logout" is a difficult problem, and there is no great solution to it. Even exiting your browser (which was always my advice/opinion on this) doesn't completely solve the problem these days, because the "wonderful" (not, as my kids would say) folks who produce Firefox decided to retain session cookies (cookies that were only supposed to be around while the browser was active, and be deleted when the browser was exited) even if the user exits their browser. It is very difficult to get Firefox to delete those cookies. And note, this problem is not limited to Shib -- anytime you get into using WebSSO, particularly in complex environments/interactions like federated authentication present -- effective logout gets quite difficult.

If a change is to be made, it would be to support an institution specifying a page to return the user to after they chose to logout of the DMPTool. Google Apps for Education supports that for institutions that arrange for Google Apps for their campus. There are institutions that craft a special page that they send users to after they log out of a particularly secure/sensitive app (not sure the DMPTool would fall into this category, but maybe some researchers would think so); that page will also log the user out of their IdP and present a recommendation to the user that they should close and exit their browser (and how to do so to maximize the chance that you get around behaviors like Firefox's) if they want to have the maximum likelihood of being logged out of "everything".